Using Fortanix Data Security Manager with Keyfactor IIS Orchestrator

1.0 Introduction

This article describes the configuration steps required on Fortanix Data Security Manager (DSM) and Keyfactor Command so that the RSA key pairs for Internet Information Services (IIS) web server certificates are generated and stored in Fortanix DSM rather than in the Windows software key store.

2.0 Architecture

Figure 1: DSM with Keyfactor IIS Orchestrator Architecture

The Keyfactor IIS Orchestrator remotely manages the certificates bound to Internet Information Services (IIS) websites, together with their site bindings. During certificate enrollment from the Keyfactor Command Portal, the RSA key pair for the certificate is generated through the Fortanix CNG provider and stored in Fortanix Data Security Manager, so the private key never exists outside DSM.

The Universal Orchestrator is part of the Keyfactor software distribution and is available from the Keyfactor customer portal.

2.1 Keyfactor IIS Orchestrator Workflow

Figure 2: DSM with Keyfactor IIS Orchestrator workflow

  1. A user creates the certificate enrollment (reenrollment) request in the Keyfactor Command Portal.
  2. The Keyfactor Orchestrator periodically polls Command for new jobs; when it finds the enrollment request, it sends a Certificate Signing Request (CSR) generation request to the target IIS machine.
  3. The target machine, on which the Fortanix CNG client is already installed and configured, generates the key pair through the Fortanix CNG provider (the private key is created and stays in Fortanix DSM) and builds the CSR.
  4. The CSR is returned to the Keyfactor Orchestrator, which forwards it to the Command Portal for signing.
  5. The Command Portal submits the CSR to the Certificate Authority (CA) it has been pre-configured with.
  6. The Command Portal sends the signed certificate back to the Keyfactor Orchestrator.
  7. The Keyfactor Orchestrator installs the certificate in the local machine certificate store, where it is paired with the private key held in DSM, and binds it to the IIS website.

3.0 Prerequisites

  1. Fortanix CNG Client (Download)
  2. Fortanix DSM API key to configure the CNG client.
  3. Administrator access to the Windows IIS server to install the CNG client.
  4. Keyfactor Command Portal access to configure the Orchestrator and to run the certificate enrollment process.
  5. Keyfactor Universal IIS Orchestrator version 10.1.1 or later.

4.0 Integration Steps

4.1 Fortanix DSM Configuration

  1. Create an account in Fortanix DSM if you do not have one already. See the Getting Started guide for more information.
  2. Create a new group, for example "Keyfactor IIS Orchestrator", in which the RSA keys will be stored.
  3. Create an application (app) in Fortanix DSM in the group created in Step 2 and copy its API key.
    1. In your Fortanix DSM account, go to the Applications tab and create a new app in the group from Step 2.
    2. After the app is created, click COPY API KEY to copy the API key and store it somewhere safe. The API key is the app's credential for DSM; anyone holding it can use the keys in that group, so do not leave it in a plain text file on the server once the CNG client is configured.
  4. Install the Fortanix CNG client using the steps described here.
  5. Configure the Fortanix CNG client with the API key from Step 3 using the steps described here.
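Before handing the machine to Keyfactor, it is worth confirming that the CNG client is registered and actually creates keys in DSM. The following PowerShell smoke test is an added example, not part of the Fortanix or Keyfactor documentation. It assumes the provider registers under the name "Fortanix KMS CNG Provider" (the name used in the enrollment dialog later in this article), that it runs in an elevated PowerShell session on the IIS host, and that the subject and temporary directory are placeholders you can change.

```powershell
# Added example (not from the original article): verify that the Fortanix CNG
# provider is registered and can create a non-exportable RSA key, using the
# same certreq path an orchestrator CSR job takes. Run elevated on the IIS host.
$ErrorActionPreference = 'Stop'
$provider = 'Fortanix KMS CNG Provider'        # assumed provider name
$subject  = 'CN=cng-smoke-test.example.com'    # placeholder subject
$workDir  = Join-Path $env:TEMP 'cng-smoke-test'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Is the provider registered with CNG at all? certutil -csplist enumerates
#    every CSP and KSP on the machine, one "Provider Name: ..." line each.
$registered = certutil -csplist | Select-String -SimpleMatch "Provider Name: $provider"
if (-not $registered) { throw "'$provider' is not registered; re-run the CNG client install" }

# Remove any stale request from an earlier run so the lookup in step 3 is unambiguous.
Get-ChildItem Cert:\LocalMachine\REQUEST | Where-Object Subject -eq $subject | Remove-Item -DeleteKey

# 2. Ask certreq to create the key pair in that provider and emit a PKCS#10 CSR.
#    Exportable = FALSE: the private key must never leave DSM.
$inf = @"
[NewRequest]
Subject = "$subject"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
ProviderName = "$provider"
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10
"@
$infPath = Join-Path $workDir 'request.inf'
$csrPath = Join-Path $workDir 'request.csr'
Set-Content -Path $infPath -Value $inf -Encoding ASCII
certreq -new $infPath $csrPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 3. The pending request is placed in LocalMachine\REQUEST. Confirm its private
#    key is a CNG key that lives in the expected provider and is not exportable.
$pending = Get-ChildItem Cert:\LocalMachine\REQUEST | Where-Object Subject -eq $subject | Select-Object -First 1
if (-not $pending) { throw "no pending request found for $subject" }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($pending)
if ($rsa -isnot [System.Security.Cryptography.RSACng]) { throw 'key was created by a legacy CSP, not a CNG provider' }
$actualProvider = $rsa.Key.Provider.Provider
$exportPolicy   = $rsa.Key.ExportPolicy
"Provider: $actualProvider; export policy: $exportPolicy; CSR written to $csrPath"
if ($actualProvider -ne $provider) { throw "key landed in '$actualProvider' instead of '$provider'" }
if ($exportPolicy -ne 'None')      { throw "key is marked exportable ($exportPolicy)" }

# 4. Clean up: -DeleteKey removes the key from the provider along with the request.
$pending | Remove-Item -DeleteKey
```

While the pending request exists (between steps 2 and 4), the Security Objects list of the DSM group from 4.1 Step 2 should show a new 2048-bit RSA key; that is the real proof that the key is in DSM. Whether the deletion in step 4 is propagated to DSM depends on the CNG client, so check the group afterwards and remove any leftover test key there.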

4.2 Keyfactor Configuration

This section summarizes the steps required to configure the Keyfactor IIS Orchestrator. For the full details, see https://github.com/Keyfactor/iis-orchestrator.

  1. Register the IIS Universal Orchestrator with Keyfactor Command.
    See the Keyfactor document InstallingKeyfactorOrchestrators.pdf, or contact your Keyfactor representative for more details. Also make sure the IISU extension is installed and enabled on the Keyfactor Orchestrator.
    Figure 3: Register IIS Orchestrator with Keyfactor
  2. Create the certificate store type for the IIS Orchestrator: on the Keyfactor home page, go to Settings (cog wheel icon) > Certificate Store Types > ADD.
    Figure 4: Add Certificate Store Type
    • Certificate Store Type settings: Basic
      Figure 5: Certificate Store Type Basic Settings
    • Certificate Store Type settings: Advanced
      Figure 6: Certificate Store Type Advanced Settings
    • Certificate Store Type settings: Custom Fields
      Figure 7: Certificate Store Type Custom Fields
    • Certificate Store Type settings: Entry Parameters
      Figure 8: Certificate Store Type Entry Parameters
      NOTE
      For a certificate enrolled by a reenrollment job, the Provider Name entry parameter is required. It selects the CNG key storage provider used for key generation and must name the Fortanix provider for the private key to be generated and stored in Fortanix DSM; if it is left empty, the key is created in the default Microsoft software provider.
  3. Create an IIS binding certificate store in Keyfactor Command: on the Keyfactor home page, select Locations > Certificate Stores from the drop-down menu and add a new store.
    Figure 9: IIS Binding Certificate Store
    Figure 10: Add Certificate Store

4.3 Certificate Enrollment

  1. In the Management Portal, browse to Locations > Certificate Stores.
  2. On the Certificate Stores page, select the Certificate Stores tab (the default when you first visit the page).
  3. On the Certificate Stores tab, highlight the certificate store to reenroll in the Certificate Stores table and click REENROLLMENT at the top of the table, or right-click the store in the table and select Reenrollment from the context menu.
  4. On the Reenrollment dialog, enter the following:
    • Subject Name for the new certificate, in X.500 format (for example, CN=www.example.com)
    • Port to bind the site on (typically 443)
    • IP address
    • SNI Flag
    • Protocol
    • Provider Name: Fortanix KMS CNG Provider (this is what places the private key in Fortanix DSM)
    • Site Name
    • SAN (optional)
    • Hostname
    • Certificate Authority
    • Template
    NOTE
    If you do not select a template or CA for reenrollment, the values configured for the "Template for Submitted CSRs" and/or "Certificate Authority for Submitted CSRs" application setting(s) (see Application Settings in Keyfactor) will be used.
  5. Click Done to submit the request.
    Figure 11: Certificate Reenrollment

    The reenrollment job will be scheduled to run immediately. Visit the Orchestrator Jobs page to check the progress of the job.
    Figure 12: Reenrollment Job

4.3.1 Binding

Check the binding in the IIS site Bindings settings (in IIS Manager, select the site and open Bindings) and confirm that the https binding uses the newly issued certificate.

Figure 13: Binding Status

4.3.2 Certificate

Check the certificate on the IIS server to confirm that its private key is held by the Fortanix CNG provider rather than the Microsoft software key storage provider. In the certificate details the private key should show the Fortanix provider and must not be exportable.

Figure 14: IIS Server Certificate
